CVE-2023-41105 Overview
CVE-2023-41105 is an Input Validation Error vulnerability discovered in Python 3.11 through 3.11.4 that affects the os.path.normpath() function. When a path containing null bytes (\0) is passed to this function, the path is unexpectedly truncated at the first null byte occurrence. This behavior change from Python 3.10.x and earlier versions creates a security regression where filenames that would have been rejected for security reasons in previous versions are no longer rejected in Python 3.11.x.
This vulnerability represents a classic null byte injection attack vector that could be exploited to bypass security controls, particularly in applications that rely on path normalization for input validation and security filtering.
Critical Impact
Applications using os.path.normpath() for security-critical path validation may be vulnerable to path traversal attacks and security filter bypasses when processing untrusted input containing null bytes in Python 3.11.x environments.
Affected Products
- Python 3.11 through 3.11.4
- NetApp Active IQ Unified Manager (Windows)
Discovery Timeline
- 2023-08-23 - CVE-2023-41105 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-41105
Vulnerability Analysis
The vulnerability exists in Python's os.path.normpath() function, which is designed to normalize pathnames by collapsing redundant separators and up-level references. In Python 3.11.x, when a path containing embedded null bytes (\0) is processed, the function truncates the path at the first null byte rather than properly handling or rejecting the malformed input.
This represents a significant security regression because null byte injection is a well-known attack technique. Attackers can craft malicious paths like /var/www/safe_file.txt\0/../../../etc/passwd where security checks might validate the path before the null byte, but the underlying file system operations could interpret the truncated path differently.
The root cause relates to how Python 3.11 handles C-string operations internally, where null bytes traditionally serve as string terminators. This inconsistency between Python's string handling and the underlying C implementation creates an exploitable condition.
Root Cause
The vulnerability stems from improper input validation in the os.path.normpath() function when processing paths containing null bytes. In Python 3.10.x and earlier versions, the function would either reject or properly handle such inputs. However, the Python 3.11.x implementation introduced a regression where null bytes cause unexpected string truncation during path normalization operations.
This is classified as CWE-426, which relates to untrusted search path vulnerabilities. The fundamental issue is that the function fails to properly sanitize or reject paths containing null bytes, leading to security-relevant path truncation that can bypass application-level security controls.
Attack Vector
The attack vector is network-based, allowing remote attackers to exploit this vulnerability without requiring authentication or user interaction. An attacker can submit a specially crafted path containing null bytes to any application that:
- Accepts user-controlled file paths
- Uses os.path.normpath() for path normalization or security validation
- Runs on Python 3.11 through 3.11.4
The attack mechanism involves embedding a null byte after an innocuous-looking path component, followed by malicious path traversal sequences. When the path is normalized, everything after the null byte may be truncated, potentially allowing the attacker to access files outside the intended directory or bypass filename blacklists.
For example, an application checking if a requested file is within a safe directory might approve a path like /uploads/document.txt\0/../../../etc/passwd because the normalization truncates it to /uploads/document.txt, but subsequent file operations might behave differently depending on how the path is processed downstream.
Detection Methods for CVE-2023-41105
Indicators of Compromise
- HTTP requests or file access attempts containing null bytes (%00 or \\x00) in file path parameters
- Application logs showing unusual path normalization behavior or unexpected file access patterns
- File access attempts to sensitive system files that bypass normal path validation
- Error logs indicating path-related issues following path normalization operations
Detection Strategies
- Implement application-level logging to capture all path inputs before and after normalization, flagging any that contain null bytes
- Deploy web application firewalls (WAF) configured to detect and block requests containing null byte sequences in URL paths and parameters
- Monitor Python application logs for path normalization anomalies or unexpected file access patterns
- Use runtime application self-protection (RASP) tools to detect null byte injection attempts in real-time
Monitoring Recommendations
- Enable verbose logging for file system operations in Python applications running version 3.11.x
- Configure security information and event management (SIEM) rules to alert on null byte patterns in web requests and file paths
- Implement file integrity monitoring for sensitive configuration and system files that could be targeted through path traversal
- Monitor for unusual process behavior or file access patterns that might indicate successful exploitation
How to Mitigate CVE-2023-41105
Immediate Actions Required
- Upgrade Python to version 3.11.5 or later where the vulnerability has been patched
- Audit all applications using os.path.normpath() for security-critical path validation
- Implement additional input validation to reject paths containing null bytes before calling os.path.normpath()
- Review and update any custom path validation logic that may rely on the previously secure behavior
Patch Information
The Python Security Team has addressed this vulnerability in subsequent releases. Organizations should update to Python 3.11.5 or later to receive the fix. The patches are available through the official Python CPython repository:
- GitHub Issue #106242 - Original issue report and discussion
- GitHub Pull Request #107981 - Primary fix implementation
- GitHub Pull Request #107982 - Backport patch
- GitHub Pull Request #107983 - Additional backport
For additional vendor-specific guidance, refer to the NetApp Security Advisory #ntap-20231006-0015 for Active IQ Unified Manager deployments.
Workarounds
- Implement pre-validation to check for and reject any paths containing null bytes before passing them to os.path.normpath()
- Use alternative path validation methods that do not rely solely on os.path.normpath() for security decisions
- Apply strict input sanitization at application entry points to filter null bytes from user-supplied path data
- Consider using os.path.realpath() in combination with explicit null byte checks as an additional safety measure
# Workaround: Validate paths for null bytes before normalization
import os
def safe_normpath(path):
"""Safely normalize a path, rejecting inputs with null bytes."""
if '\0' in path:
raise ValueError("Path contains null bytes")
return os.path.normpath(path)
# Example usage
user_input = "/var/www/uploads/file.txt"
try:
normalized = safe_normpath(user_input)
# Proceed with validated path
except ValueError as e:
# Handle malicious input
print(f"Rejected malicious path: {e}")
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
